# Bind 9 DNS CHEAT SHEET IS BASED ON DEBIAN - REDHAT / FEDORA use completely different folder structure than DEBIAN for bind: https://www.isc.org/bind/ # DEBIAN # /etc/bind # /var/lib/bind https://wpcademy.com/how-to-install-bind9-dns-server-on-ubuntu-step-by-step/ https://www.linuxtechi.com/install-configure-bind-9-dns-server-ubuntu-debian/ https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-debian-9 # FEDORA # /etc/named.conf # /etc/named #/var/named # /usr/share/ipa https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-bind # DMZ STEALTH SERVER, SPLIT-HORIZON, SPLIT-BRAIN DNS https://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/ https://www.zytrax.com/books/dns/ch4/#split # Misc re-used commands named -v dig -t txt -c chaos VERSION.BIND @192.168.1.140 rndc flush sudo systemctl status named sudo systemctl restart bind9 sudo systemctl status bind9 suso systemctl restart bind9.service sudo service bind9 restart sudo named-checkconf sudo named-checkzone intensewebs.com /var/lib/bind/db.intensewebs.com sudo tail -f /var/log/syslog sudo apt update && sudo apt upgrade -y sudo apt install -y bind9 bind9utils bind9-doc dnsutils cd /etc/bind # Copy/Backup your files sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.backup sudo vi /etc/bind/named.conf.options acl trustedclients { localhost; localnets; 192.168.1.140 #ns1.intensewebs.com 192.168.1.141 #ns2.intensewebs.com 192.168.1.142 #ns3.intensewebs.com 192.168.1.143 #ns4.intensewebs.com 192.168.1.0/24; 192.168.2.0/24; }; options { directory "/var/cache/bind"; recursion yes; allow-query { trustedclients; }; allow-query-cache { trustedclients; }; allow-recursion { trustedclients; }; forwarders { 9.9.9.9; 149.112.112.112; }; dnssec-validation no; listen-on-v6 { any; }; }; # NOTE: DNSSec disabled as it was found to cause issues for Ubuntu 20.04 # 4) Define zone files backup the existing file named.conf.local e.g. sudo cp -f /etc/bind/named.conf.local /etc/bind/bak.named.conf.local.bak sudo vi named.conf.local so it looks something like this zone "intensewebs.com" { type master; file "/var/lib/bind/db.intensewebs.com"; allow-transfer { 192.168.1.141; }; also-notify { 192.168.1.141; }; }; zone "nukvm.org" { type master; file "/var/lib/bind/db.nukvm.org"; allow-transfer { 192.168.1.141; }; also-notify { 192.168.1.141; }; }; zone "iweb.city" { type master; file "/var/lib/bind/db.iweb.city"; allow-transfer { 192.168.1.141; }; also-notify { 192.168.1.141; }; }; zone "1.168.192.in-addr.arpa" { type master; file "/var/lib/bind/db.1.168.192"; allow-transfer { 192.168.1.141; }; also-notify { 192.168.1.141; }; }; check the file for errors sudo named-checkconf 5) Create a forward lookup zone in /var/lib/bind. Copy an existing file to one with the name used before e.g. sudo cp /etc/bind/db.local /var/lib/bind/db.intensewebs.com sudo vi db.intensewebs.com $ORIGIN intensewebs.com. $TTL 604800 ; @ IN SOA ns1.intensewebs.com. dns.intensewebs.com. ( 58 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; IN NS ns1.intensewebs.com. IN NS ns2.intensewebs.com. ; IN MX 10 mail.intensewebs.com. ; alma1 IN A 192.168.1.121 git IN A 192.168.1.123 ipa1 IN A 192.168.1.124 ipa2 IN A 192.168.1.125 pg IN A 192.168.1.126 ; ns1 IN A 192.168.1.140 ns2 IN A 192.168.1.141 tdebian IN A 192.168.1.200 sd IN A 192.168.1.222 superdog IN A 192.168.1.223 ; ftp IN A 74.63.233.135 mail IN A 74.63.233.135 webmail IN A 74.63.233.135 www IN A 74.63.233.135 ; t IN A 129.146.170.34 lab IN A 129.146.170.34 ; u IN A 129.153.118.150 # check the file syntax sudo named-checkzone intensewebs.com db.intensewebs.com 6) Create a reverse lookup zone using same name specified in named- edit the file e.g. sudo vi db.1.168.192 $TTL 604800 @ IN SOA ns1.intensewebs.com. dns.intensewebs.com. ( 58 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.intensewebs.com. IN NS ns2.intensewebs.com. ns1.intensewebs.com. IN A 192.168.1.140 ns2.intensewebs.com. IN A 192.168.1.141 3 IN PTR giti.iweb.city 4 IN PTR ng1.iweb.city 66 IN PTR gitea.nukvm.org 121 IN PTR alma1.intensewebs.com 123 IN PTR git.intensewebs.com 124 IN PTR ipa1.intensewebs.com 125 IN PTR ipa2.intensewebs.com 126 IN PTR pg.intensewebs.com 140 IN PTR ns1.intensewebs.com 141 IN PTR ns2.intensewebs.com 200 IN PTR tdebian.intensewebs.com 201 IN PTR tnginx.iweb.city 222 IN PTR sd.intensewebs.com 223 IN PTR superdog.intensewebs.com sudo named-checkzone 1.168.192.in-addr.arpa db.1.168.192 7) Edit the server's DNS entry to use it's own DNS server vi /etc/resolv.conf domain intensewebs.com search intensewebs.com nameserver 192.168.1.140 nameserver 192.168.1.141 8) Start and test DNS sudo systemctl start named sudo systemctl enable named sudo systemctl start bind9 sudo systemctl status bind9 sudo systemctl status named test DNS is working e.g. host git.intensewebs.com host 192.168.1.122 ping www.amazon.com --------------------------------------- SECONDARY sudo vi /etc/bind/named.conf.local zone "intensewebs.com" { type slave; file "/var/lib/bind/db.intensewebs.com"; masters { 192.168.1.140; }; }; zone "nukvm.org" { type slave; file "/var/lib/bind/db.nukvm.org"; masters { 192.168.1.140; }; }; zone "iweb.city" { type slave; file "/var/lib/bind/db.iweb.city"; masters { 192.168.1.140; }; }; zone "1.168.192.in-addr.arpa" { type slave; file "/var/lib/bind/db.1.168.192"; masters { 192.168.1.140; }; }; sudo systemctl restart bind9 sudo systemctl status bind9 sudo vi /etc/bind/named.conf.options acl trustedclients { localhost; localnets; 192.168.1.140 #ns1.intensewebs.com 192.168.1.141 #ns2.intensewebs.com 192.168.1.142 #ns3.intensewebs.com 192.168.1.143 #ns4.intensewebs.com 192.168.1.0/24; 192.168.2.0/24; }; options { directory "/var/cache/bind"; recursion yes; allow-query { trustedclients; }; allow-query-cache { trustedclients; }; allow-recursion { trustedclients; }; forwarders { 9.9.9.9; 149.112.112.112; }; dnssec-validation no; listen-on-v6 { any; }; };